LinuxQuestions.org - Lots of Martians in my Syslog

Hello All,

I've recently been getting lots of this error in my syslog:

Code:

Dec 10 14:38:46 spikey kernel: martian source 24.117.175.67 from 127.0.0.1, on dev eth0

Dec 10 14:38:46 spikey kernel: ll header: 00:40:95:d0:04:f6:00:08:20:cb:08:8c:08:00

Dec 10 14:49:48 spikey kernel: martian source 24.117.175.67 from 127.0.0.1, on dev eth0

Dec 10 14:49:48 spikey kernel: ll header: 00:40:95:d0:04:f6:00:08:20:cb:08:8c:08:00

These messages seem to come in about every 10 or 20 minutes over the course of several hours, then there will be a gap of a few hours then it starts up again. The weird thing is the 24.117.175.67 is my IP and the first set of numbers after the header is the mac address to my external interface. I thought the packets were coming from my own machine, at first. I found a few people on this forum who have seen similar issues, but I haven't found any who have resolved it. It sounds like these "martian source" errors could be one of two things:
1. Misconfigured Network
2. Malicious Attacks from spoofed IP addresses.

I've been trying to figure out which one it is because if it is a network configuration issue I want to fix it. If it's a hacker, I'd like to know too. Recently, I've found a tool that is most useful. tcpdump. I ran it looking for stuff coming in from 127.0.0.1 and it spit out stuff like this:

Code:

14:49:48.917605 localhost.http > 24-117-175-67.cpe.cableone.net.1012: R 0:0(0) ack 836894721 win 0

15:09:21.954525 localhost.http > 24-117-175-67.cpe.cableone.net.prospero-np: R 0:0(0) ack 988610561 win 0

So, I see an interesting thing in this log: ".1012" and ".prospero-np", this makes me think that it's actually hackers. What do the experts on this forum have to say?

Thanks for any input.

-Greg